Why the Wawa Data Breach Serves as a Warning That “Good Enough” is Never Enough

Wawa’s nine-month-long network breach resulted in the theft of roughly 31 million payment card records, which are now being sold on the dark web carding marketplace Joker’s Stash. It is one of the largest payment card breaches of all time, on par with the Home Depot breach of 2014, which exposed 56 million payment cards, and Target’s 2013 breach, which exposed 40 million sets of customers’ payment card data.

The most frustrating part of Wawa’s story? That it could have been prevented, or the damage from the card-stealing malware installed on its in-store payment terminals and fuel dispensers could at least have been mitigated, by installing EMV chip card readers at its pumps and POS terminals: card data captured from a chip transaction cannot be reused to produce a working counterfeit card, so the stolen records would have been worth far less to the criminals selling them.

Gas stations have long been targets of credit card theft due to the ease of installing card skimmers, but the costs required to make the EMV updates are so high – estimated to be $6 billion for gas terminals in the US alone – that businesses have been hesitant to make the investment.

While the EMV liability shift for automated fuel dispensers (after which merchants without chip-capable pumps absorb the cost of counterfeit fraud at those pumps) takes effect in October 2020, pushed back from the original 2017 deadline, it is becoming increasingly clear that most fuel merchants will miss it.

This complacency, coupled with the unfortunate outcome of the Wawa breach, underscores a greater issue businesses face across industries: the acceptance of the “good enough” mentality in regards to compliance.

Put another way, companies often fall into a trap of convincing themselves that their existing cybersecurity or fraud prevention postures are adequate so long as they’re not experiencing catastrophic breaches or significant monetary losses – the so-called “burn and learn” mentality. They may still be experiencing smaller-scale fraud and cybercrime, but because “the big one” has yet to hit, they’re lulled into a false sense of (relative) security – even if a demonstrably better technology is available.

In the case of gas stations, EMV card readers are a proven and viable method of reducing POS fraud. Rather than handing the terminal the same static card number and track data on every use, a chip card computes a unique cryptogram for each transaction with a key that never leaves the chip, covering the amount, a counter on the card, and a random value chosen by the terminal. The issuer verifies that cryptogram before approving the purchase, so data skimmed from one transaction cannot be replayed or cloned onto a counterfeit card.
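The following is an added, deliberately simplified model of the mechanism described above; it is not code from Wawa, any payment network, or the EMV specifications (real EMV derives per-session keys and builds the ARQC over a defined set of tags, and the issuer’s checks are richer than shown). Card number, key and amounts are constructed sample data. It contrasts a magstripe swipe, whose captured track data authorizes again verbatim, with a chip transaction whose captured cryptogram is rejected on replay (stale counter) and on tampering (MAC mismatch):

```python
import hashlib
import hmac
import secrets

# Constructed sample card number (not a real PAN).
SAMPLE_PAN = "4000123456789010"


def cryptogram(key, pan, amount_cents, atc, unpredictable_number):
    """Stand-in for the EMV ARQC: a MAC over transaction data under the card-unique key."""
    msg = f"{pan}|{amount_cents}|{atc}|{unpredictable_number.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Issuer:
    """Issuer back end: holds each card's key and the last transaction counter it accepted."""

    def __init__(self):
        self.card_keys = {}
        self.last_atc = {}

    def enroll(self, pan):
        self.card_keys[pan] = secrets.token_bytes(16)  # shared only with the chip
        self.last_atc[pan] = 0
        return self.card_keys[pan]

    def authorize_magstripe(self, request):
        # Track data is static: a skimmed copy is indistinguishable from a live swipe.
        pan = request["track"].split("=")[0]
        return pan in self.card_keys

    def authorize_chip(self, request):
        key = self.card_keys.get(request["pan"])
        if key is None:
            return False
        # 1. The Application Transaction Counter must move forward; a re-submitted
        #    authorization carries a counter the issuer has already seen.
        if request["atc"] <= self.last_atc[request["pan"]]:
            return False
        # 2. The cryptogram must verify over exactly the submitted fields.
        expected = cryptogram(key, request["pan"], request["amount"],
                              request["atc"], request["un"])
        if not hmac.compare_digest(expected, request["arqc"]):
            return False
        self.last_atc[request["pan"]] = request["atc"]
        return True


class MagstripeCard:
    def __init__(self, pan):
        self.track = f"{pan}=2512101"  # PAN plus expiry/service code (constructed)

    def swipe(self):
        return {"track": self.track}


class ChipCard:
    def __init__(self, pan, key):
        self.pan, self.key, self.atc = pan, key, 0

    def generate_arqc(self, amount_cents, unpredictable_number):
        self.atc += 1  # counter increments on every transaction
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc,
                "un": unpredictable_number,
                "arqc": cryptogram(self.key, self.pan, amount_cents,
                                   self.atc, unpredictable_number)}


def demo():
    """Run a legitimate swipe and chip payment, then replay what a skimmer captured."""
    issuer = Issuer()
    key = issuer.enroll(SAMPLE_PAN)
    results = {}

    # Magstripe: the skimmer's copy of the track authorizes exactly like the original.
    swipe = MagstripeCard(SAMPLE_PAN).swipe()
    results["magstripe_legit"] = issuer.authorize_magstripe(swipe)
    results["magstripe_replay"] = issuer.authorize_magstripe(dict(swipe))

    # Chip: the terminal picks a fresh unpredictable number and the card signs over it.
    chip = ChipCard(SAMPLE_PAN, key)
    captured = chip.generate_arqc(4500, secrets.token_bytes(4))
    results["chip_legit"] = issuer.authorize_chip(captured)
    # Replaying the captured authorization verbatim: stale counter, rejected.
    results["chip_replay"] = issuer.authorize_chip(dict(captured))
    # Bumping the counter to look fresh: the MAC no longer matches (attacker has no key).
    forged = dict(captured, atc=captured["atc"] + 1)
    results["chip_forged"] = issuer.authorize_chip(forged)
    # The genuine card still works for its own next transaction.
    results["chip_next"] = issuer.authorize_chip(
        chip.generate_arqc(1200, secrets.token_bytes(4)))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:17} {'ACCEPTED' if ok else 'REJECTED'}")
```

The point of the model is the asymmetry it shows: everything a skimmer can capture from a magstripe swipe is enough to transact again, while everything it can capture from a chip transaction is useless without the key inside the card, and an altered copy fails verification.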

EMV’s significant impact on counterfeit card fraud in Europe spurred US adoption; while US merchant adoption still hasn’t reached 100%, 68% of all merchants are equipped to process EMV transactions and most transactions now occur with chipped cards, according to data released by Visa. From 2015 to 2018, merchants that accept EMV cards saw losses due to counterfeit fraud decline by 80%, while counterfeit fraud losses across all merchants went down by 48%. Yet less than 30% of fuel merchants have adopted the technology.

Despite the strength of the data supporting the effectiveness of EMV in stopping POS fraud, adopting new technology to meet industry standards is a painful process, particularly for fuel merchants whose EMV retrofit kits cost an average of $5000. Companies understandably don’t want an expensive line item reducing profits for a quarter, even if it’s for necessary infrastructure work – everyone wants growth, but fraud protection is generally considered a “growth killer.”

While this transition to EMV comes at a substantial cost, the greatest cost of delaying the upgrade is in the form of data breaches and the subsequent abuse at the hands of criminals who have acquired stolen credit card or account information.

There’s a hidden cost, too: the erosion of trust and the merchant’s reputation when the onus is unnecessarily put on the consumer to secure their personal information when doing business with the merchant.

In the absence of secure transactions at the pump, industry organizations are encouraging consumers to prepay for their gas inside or to wiggle the card reader at the pump to check that a skimmer hasn’t been fitted over it. This isn’t something they should have to do, particularly when effective technology exists that can protect the consumer better than any card-jiggling technique ever could.

Whether by switching over to EMV card readers, introducing new authentication protocols, or encrypting user account data, all businesses – not just fuel merchants – should consider security upgrades not a burden, but an essential operational and competitive advantage that not only helps prevent breaches, but relieves customers of having to take security into their own hands.

It’s time to stop asking customers to be on the lookout for skimmers at the gas station, and to start making skimmers irrelevant to begin with.
